
Step 8 - Anchore

SonarQube checks the code, but Anchore checks the container. It scans the OS packages inside your Docker image for known CVEs.

Jenkinsfile

Here is the Jenkinsfile for this step. Source code: 30-08-Jenkinsfile-sonarqube-docker-build-push-anchore-deploy.

pipeline {
    agent any
    options {
      disableConcurrentBuilds()
      disableResume()
      buildDiscarder(logRotator(numToKeepStr: '10'))
      timeout(time: 1, unit: 'HOURS')
    }
    tools {
        maven 'maven-3.6.3'
    }
    environment {
        // Image tag such as 24.5.17 (yy.M plus the Jenkins build number)
        DATE = new Date().format('yy.M')
        TAG = "${DATE}.${BUILD_NUMBER}"
        scannerHome = tool 'sonarscanner'
    }
    stages {
        stage ('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage('SonarQube analysis') {
            steps {
                withSonarQubeEnv('sonarqube') {
                    sh "${scannerHome}/bin/sonar-scanner"
                }
            }
        }
        stage("SonarQube Quality gate") {
            steps {
                waitForQualityGate abortPipeline: true
            }
        }
        stage('Docker Build') {
            steps {
                script {
                    docker.build("vigneshsweekaran/hello-world:${TAG}")
                }
            }
        }
        stage('Pushing Docker Image to Dockerhub') {
            steps {
                script {
                    docker.withRegistry('https://registry.hub.docker.com', 'docker_credential') {
                        docker.image("vigneshsweekaran/hello-world:${TAG}").push()
                        docker.image("vigneshsweekaran/hello-world:${TAG}").push("latest")
                    }
                }
            }
        }
        stage('Anchore Scanning') {
            steps {
                script {
                    // The anchore step reads the images to scan from a file, one image per line
                    def imageLine = "vigneshsweekaran/hello-world:${TAG}"
                    writeFile file: 'anchore_images', text: imageLine
                    // bailOnFail: false lets the pipeline continue even if the scan fails
                    anchore name: 'anchore_images', bailOnFail: false
                }
            }
        }
        stage('Deploy'){
            steps {
                // '|| true' ignores the error when no previous container exists
                sh "docker stop hello-world || true"
                sh "docker rm hello-world || true"
                sh "docker run --name hello-world -d -p 9004:8080 vigneshsweekaran/hello-world:${TAG}"
            }
        }
    }
    post {
        always {
            deleteDir()
        }
    }
}

Detailed Explanation

Anchore Scanning Stage

  • writeFile: We create a temporary file named anchore_images containing the image name (vigneshsweekaran/hello-world:${TAG}), one image per line. Anchore reads this file to know what to scan.
  • anchore step:
    • name: Points to the file we just created.
    • bailOnFail: false: This setting allows the pipeline to continue even if the scan reports vulnerabilities. If set to true, the build would fail as soon as the image fails the Anchore policy check (for example on High/Critical CVEs), and the Deploy stage would not run.

Important Tips

Tip: In a real production pipeline, you should set bailOnFail: true to prevent deploying vulnerable images. We use false here for demonstration purposes so the tutorial pipeline finishes.
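The following is an added example, not part of the original tutorial, showing how the same stages can be ordered so that bailOnFail: true actually blocks a vulnerable image from being deployed. It keeps the page's image name, tool and credential ids, and assumes the Anchore plugin's engine mode, in which Anchore Engine pulls the image from the registry, so the version tag is pushed before the scan while the 'latest' tag and the deploy wait for the scan result.

```groovy
pipeline {
    agent any
    environment {
        DATE  = new Date().format('yy.M')
        TAG   = "${DATE}.${BUILD_NUMBER}"
        IMAGE = "vigneshsweekaran/hello-world:${TAG}"   // same image name as the tutorial
    }
    stages {
        stage('Docker Build') {
            steps {
                script { docker.build(IMAGE) }
            }
        }
        stage('Push candidate tag') {
            // Assumption: Anchore Engine pulls the image from the registry, so the version
            // tag must exist there before the scan; 'latest' is deliberately not pushed yet.
            steps {
                script {
                    docker.withRegistry('https://registry.hub.docker.com', 'docker_credential') {
                        docker.image(IMAGE).push()
                    }
                }
            }
        }
        stage('Anchore Scanning') {
            steps {
                script {
                    // One image per line; the anchore step reads this file to know what to scan.
                    writeFile file: 'anchore_images', text: "${IMAGE}\n"
                    // bailOnFail: true fails the build on policy failure, so the stage below never runs.
                    anchore name: 'anchore_images', bailOnFail: true
                }
            }
        }
        stage('Promote and Deploy') {
            // Reached only when the scan passed: update 'latest' and start the container.
            steps {
                script {
                    docker.withRegistry('https://registry.hub.docker.com', 'docker_credential') {
                        docker.image(IMAGE).push('latest')
                    }
                }
                sh "docker stop hello-world || true"
                sh "docker rm hello-world || true"
                sh "docker run --name hello-world -d -p 9004:8080 ${IMAGE}"
            }
        }
    }
}
```

With this order a failing scan leaves only the versioned candidate tag in Docker Hub; 'latest' still points at the last image that passed, and nothing new is started on the host.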

Next Step: Deploy to Kubernetes

Quick Quiz

  • What kind of scanning does Anchore perform?
  • What does bailOnFail: false mean in the anchore step?
  • How does the anchore step know which image to scan?
